[25404] in bugtraq
Re: Patrol security bugs
daemon@ATHENA.MIT.EDU (Mike Crane)
Thu May 9 02:15:56 2002
Date: 7 May 2002 21:07:01 -0000
Message-ID: <20020507210701.19715.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Mike Crane <mcrane@bmc.com>
To: bugtraq@securityfocus.com
In-Reply-To: <370DDA89.31976841@cf6.fr>
I'm trying to clean up old postings that were never
responded to. These answers should clarify BMC's positions
on the posting.
>> 1) Session password encryption weakness :
>>
>> The Patrol session password is protected in a way which
>> does not prevent replay attacks. It is possible for an
>> attacker to capture (wire tapping, network sniffing...)
>> an encrypted password and to provide it to the BMC API
>> to connect to the agent. The attacker can then get a
>> shell with the agent without the administrator knowing
>> it.
>>
Answer Summary
Issues are more prevalent if agent/console connections are
made on the open Internet. While it is possible for
customers to do this, it isn’t recommended because any
vulnerability in TCP/UDP traffic on those machines is
accessible from outside sources. However, these types of
policy decisions are for customers to make.
BMC Software has provided customers options to deal with
vulnerabilities of this sort. Options available are:
1. Use PATROL ACLs to restrict which clients can
connect to an agent.
2. Use the Enhanced Security Interface (ESI) described
in the Patrol API reference manual. BMC’s enhanced host-to-
host privacy using Public Key Infrastructure (PKI)
encryption provides both higher levels of encryption for
data transmitted between PATROL components and the
ability to authenticate the connections that are made
between PATROL components.
Related BMC Work
BMC Support Case 204065
PATROL Agent for Windows NT Version 3.2.09 Technical
Bulletin, “Alert for possible network layer and denial of
service attacks”, which can be found at
http://www.bmc.com/supportu/documents/37/67/3767/100019317/index.htm.
>> 2) Patrol frames sealing :
>>
>> The algorithm used in Patrol for sealing the frames
>> exchanged is fairly weak (enhanced checksum). It is thus
>> quite easy for an attacker to build a spoofing system
>> which sends faked frames to an agent.
>>
Answer Summary
Issues are more prevalent if agent/console connections are
made on the open Internet. While it is possible for
customers to do this, it isn’t recommended because any
vulnerability in TCP/UDP traffic on those machines is
accessible from outside sources. However, these types of
policy decisions are for customers to make.
A couple of options are available to reduce this
vulnerability:
1. Use PATROL ACLs to restrict which clients can
connect to an agent.
2. Use the Enhanced Security Interface (ESI) described
in the Patrol API reference manual. BMC’s enhanced host-to-
host privacy using Public Key Infrastructure (PKI)
encryption provides both higher levels of encryption for
data transmitted between PATROL components and the
ability to authenticate the connections that are made
between PATROL components.
3. Validate inbound packet addresses (on a border
router) against the addresses valid for your network.
4. Disable UDP and only use TCP for communication to
an agent.
5. Segment your Patrol users behind a firewall to
limit the usage to the TCP ports.
Related BMC Work
PATROL Agent for Windows NT Version 3.2.09 Technical
Bulletin, “Alert for possible network layer and denial of
service attacks”, which can be found at
http://www.bmc.com/supportu/documents/37/67/3767/100019317/index.htm.
BMC Support Case 204065
BMC Support Case 333617
>> 3) Denial of service on UDP port :
>>
>> The UDP ports accept connection requests and are thus
>> exposed to ping-pong from another UDP port (e.g.
>> chargen).
>>
Answer Summary
Issues are more prevalent if agent/console connections are
made on the open Internet. While it is possible for
customers to do this, it isn’t recommended because any
vulnerability in TCP/UDP traffic on those machines is
accessible from outside sources. However, these types of
policy decisions are for customers to make.
Options available to reduce this vulnerability:
1. Use the Enhanced Security Interface (ESI) described
in the Patrol API reference manual. BMC’s enhanced host-to-
host privacy using Public Key Infrastructure (PKI)
encryption provides both higher levels of encryption for
data transmitted between PATROL components and the
ability to authenticate the connections that are made
between PATROL components.
2. Ensure your UDP diagnostic ports are disabled on
your agents.
3. Validate inbound packet addresses (on a border
router) against the addresses valid for your network.
4. Disable UDP and only use TCP for communication to
an agent.
5. Segment your Patrol users behind a firewall to
limit the usage to the UDP port.
Related BMC Work
BMC Support Case 238659
Regards,
Mike Crane
BMC Security Architect
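Issues 1 and 2 in the thread above both come down to a seal that any host can recompute and that carries no freshness: a checksum-sealed frame can be rebuilt by a spoofer, and a captured credential can be replayed. The following is an added example, not BMC's code and not PATROL's real frame format: a toy frame with an unkeyed checksum seal beside one with a keyed HMAC seal and a sequence number, showing that the first accepts a frame built by anyone who knows the algorithm while the second rejects frames sealed without the key and replays of a genuine frame. The frame layout, the shared key and the sequence-number rule are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
# Toy frame layout (assumed for this example, not PATROL's wire format): the
# payload followed by a fixed-length seal; keyed payloads start with a 4-byte
# big-endian sequence number.

def checksum_seal(payload: bytes) -> bytes:
    """Key-less 'enhanced checksum' seal: anyone knowing the algorithm can recompute it."""
    return hashlib.sha1(payload).digest()[:4]  # truncated digest stands in for a checksum

def hmac_seal(key: bytes, payload: bytes) -> bytes:
    """Keyed seal: a valid seal requires the shared secret."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def split_frame(frame: bytes, seal_len: int):
    if len(frame) <= seal_len:
        raise ValueError("malformed frame")
    return frame[:-seal_len], frame[-seal_len:]

def verify_checksum_frame(frame: bytes) -> bool:
    payload, seal = split_frame(frame, 4)
    return hmac.compare_digest(seal, checksum_seal(payload))

class HmacReceiver:
    """Holds the shared key and the last sequence number seen, so an altered frame,
    a frame sealed without the key, and a replayed capture are all rejected."""
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, -1

    def accept(self, frame: bytes) -> bool:
        payload, seal = split_frame(frame, 32)
        if not hmac.compare_digest(seal, hmac_seal(self.key, payload)):
            return False  # seal mismatch: altered, or sealed without the key
        (seq,) = struct.unpack("!I", payload[:4])
        if seq <= self.last_seq:
            return False  # sequence number not increasing: replayed frame
        self.last_seq = seq
        return True

def demo():
    key = b"constructed-shared-key-for-demo"   # constructed sample key
    cmd = b"SET threshold=0"                    # constructed sample payload
    # Checksum-sealed frame built by a host that knows only the algorithm: accepted.
    spoofed = cmd + checksum_seal(cmd)
    rx = HmacReceiver(key)
    body = struct.pack("!I", 1) + cmd
    forged = body + hmac_seal(b"wrong-key", body)  # sealed without the key: rejected
    genuine = body + hmac_seal(key, body)          # accepted once, then rejected as a replay
    return (verify_checksum_frame(spoofed), rx.accept(forged), rx.accept(genuine), rx.accept(genuine))
```

demo() returns (True, False, True, False): the unkeyed seal passes the spoofed frame, while the keyed receiver rejects the unkeyed forgery and the replay.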